Cyber Criminals Find New Online Currency Service

Since the Justice Department shut down digital currency service Liberty Reserve, a new cyber underground payment standard has emerged.

9 Android Apps To Improve Security, Privacy

(click image for larger view)

How are hackers moving money in the wake of U.S. authorities taking down online currency service Liberty Reserve?

After a temporary lull in online payment activity, cybercriminals have increasingly been turning to a service known as Perfect Money, said Idan Aharoni, the head of cyber intelligence at EMC Corp's RSA security division. "We expected a large migration to another e-currency, and that has happened," Aharoni told Reuters on Friday.

Together with shutting down the Liberty Reserve site in May, the Department of Justice charged seven employees of the Costa Rica-based operation with having facilitated $6 billion in money laundering. As part of that takedown, U.S. authorities also filed a civil action against 35 exchanger websites related to Liberty Reserve, seeking that their domain names be forfeited.

Those efforts lead to the inevitable question of how the service's existing 1 million worldwide users might next move money without leaving a trail.

Last week, an unnamed source told TechWeekEurope that multiple carder forums -- marketplaces for buying and selling stolen credit card information -- have adopted Perfect Money as their new default payment method. Other carder sites, meanwhile, have also reportedly added Perfect Money -- as well as WebMoney, also known as WMZ -- as new payment options. Still, based on chatter on underground cybercrime forums, some hackers' requests to join Perfect Money have recently been rejected on the grounds that their "type of activity is not welcome."

Could Perfect Money be actively trying to avoid the ire of U.S. banking regulators and law enforcement agencies and thus the fate suffered by Liberty Reserve? The service issued a customer advisory on June 15, warning that "all accounts that belong to U.S. citizens/residents/U.S. companies will be disabled on 1st of July." On that date, those accounts were set to be frozen, and no more transactions would be allowed. "Please do not postpone taking action to withdraw your balance," it said.

Closing out an account wouldn't be cheap, with Perfect Money charging a fixed $100 fee, plus 3% of the amount withdrawn. In addition, while the service promises a 4% annual interest rate on balances, it also charges fees for internal transfers (0.5%), wire transfer deposits (1.5% and up) and wire transfer withdrawals (4%).

On the upside, the online payment service offers more robust security than the average bank, including sending optional one-time codes sent via SMS -- each of which costs a customer $0.10 to generate -- for logging in. The service also records the IP address used to set up an account. Every time someone attempts to access a particular Perfect Money account from an IP address that's not on file, the service emails a one-time access code to the account holder's verified email address, which must be entered into the website before the transaction can proceed.

But who runs Perfect Money, and to which banking regulators might the service be answerable? That's not clear. According to some news reports, the service is based in Panama. But that country's financial regulators have said that Perfect Money has no registered offices in the country.

More clues: The service is customized for use in 20 different languages -- but says it provides customer support only in English -- and the website has been registered using Iceland's top-level domain name. The website also lists a mailing address in Hong Kong, but no phone number or email address. A query made via the website, requesting information on where the service is based, as well as what steps it's taken to avoid being targeted by U.S. financial regulators, wasn't returned.

To what extent would an e-currency service be responsible for policing its customers? Seth Ginsberg, a lawyer for former Liberty Reserve principal Mark Marmilev -- who's pleaded not guilty to money laundering charges -- said that e-currency providers shouldn't be punished because some people use the services to disguise illicit activities.

"It's my understanding that Liberty Reserve was designed to compete with mainstream financial providers. The fact that it may have been misused by various customers should not reflect on the company," Ginsburg told Reuters. Indeed, the BBC reported that many legitimate users outside the United States simply viewed Liberty Reserve as a cheaper alternative to PayPal. For example, the service offered instant transfers, and a maximum
service fee of $2.99 per transaction.

"There is a legitimate need for alternatives to the mainstream financial market, so the fact that there's another company out there filling the void left by Liberty Reserve is not surprising," Ginsburg said.

For comparison purposes, in December the Department of Justice slapped British multinational bank HSBC with a record $1.9 billion fine for its "blatant failure" to implement money-laundering controls, which resulted in terrorists being able to use the bank to move money. Aside from that fine being levied, however, no arrests were made.

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.